I'm configuring a secure VLAN environment where I don't want ports to be able to see, or attempt to communicate with, any other port on the VLAN, aside from, of course, the gateway port. I know to use a protected port configuration for that.
My question lies in some verbiage within the Config Guide for the 2960 switches I'm using. After Port Protection in the guide, it mentions Port Blocking. The verbiage says:
By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown unicast and multicast traffic is forwarded to a protected port, there could be security issues. To prevent unknown unicast or multicast traffic from being forwarded from one port to another, you can block a port (protected or nonprotected) from flooding unknown unicast or multicast packets to other ports.
In the Port Protection section, it says:
A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.
So, does this infer that the only reason I would need to configure port blocking on ports in this VLAN, where all ports are configured as protected, would be to protect them from a port that is NOT configured as protected? The verbiage seems to imply that a protected port cannot send U/M/B traffic to any other protected port, but it is itself vulnerable if port blocking is not configured. Or would it be advisable to configure port blocking along with the port protection?
Yes, you are correct. You can configure port blocking along with port protection. No traffic is forwarded between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.
Understood about using the protected port feature; my question was, should I also configure port blocking, as the verbiage from the configuration guide seems to indicate that protected ports are still vulnerable to U/M/B floods?
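An added example of the combined setup being discussed (not configuration from either poster): every access port in the isolated VLAN gets both `switchport protected` and unknown unicast/multicast blocking, while the uplink toward the gateway is left as a normal port. VLAN number, VLAN name and interface names are assumptions.

```cisco
! Added example, not from the original post. VLAN 50 and the interface
! names are assumed; adjust to the real topology.
vlan 50
 name ISOLATED-USERS
!
interface range FastEthernet0/1 - 24
 description isolated access ports (assumed)
 switchport mode access
 switchport access vlan 50
 ! Protected: no Layer 2 forwarding to any other protected port.
 switchport protected
 ! Blocking: flooded unknown unicast/multicast is not sent out of
 ! this port, which covers floods originating from a port that is
 ! NOT protected (the case the guide warns about).
 switchport block unicast
 switchport block multicast
!
interface GigabitEthernet0/1
 description uplink to gateway / Layer 3 device (assumed, left unprotected)
 switchport mode access
 switchport access vlan 50
!
! Verification on one access port:
!   show interfaces FastEthernet0/1 switchport
! Look for these fields in the output:
!   Protected: true
!   Unknown unicast blocked: enabled
!   Unknown multicast blocked: enabled
```

With unicast blocking enabled, a frame whose destination MAC the switch has not yet learned is not delivered to that port, so the gateway's MAC must be present in the MAC address table (it normally is, learned from the gateway's own traffic on the uplink).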